Back to top

Cyber Threats as a Result of COVID-19: Part 4

Ravi Das

Introduction

In this blog series, we have examined numerous threats such as:

In the final post on this topic, we focus on what could be deemed as one of the older threat vectors out there – social engineering.

What Is Social Engineering?

Social engineering involves testing your employees’ security awareness when confronted with an unauthorized third-party attempting to manipulate the employee into disclosing confidential information. Such tests provide insight into how effective your organization’s policies and procedures are at mitigating social engineering threats, how well the employees adhere to established policies and procedures, and the level of security awareness that exists among employees.

Social engineering takes advantage of the following two considerations to be successful:

  • Weaknesses in human behavior
  • Well-designed fraud

At present, the two most prevalent social engineering attacks during the pandemic are as follows:

1. The Funds Transfer Fraud:

This is a form of a BEC attack and was reviewed in some detail in part 1 of this series.  In this instance, a bad actor will claim to be a higher-level ranking employee of the company. It can attempt to scare an employee, such as an administrative assistant, into transferring a large sum of money to a phony organization.

It is important to note here that these kinds of social engineering attacks have cost corporate America at least $75,000 per incident, if not more. (SOURCE:1)

2. The Invoice Manipulation:

In these kinds of instances, the bad actor sends out fake but genuine-looking invoices via email to the Finance or Accounting departments of a particular company.  The email could state that service delivery could decline and have a cascading impact unless payment is immediately made to the bad actor.  This will create a sense of urgency for those responsible for making the actual payment.

This kind of attack has had a substantial financial impact, as it has contributed to well over $26,000,000.00 in financial losses to Corporate America. (SOURCE:  2)

Other Types Of Social Engineering Attacks

Although phishing and its variant forms are the most common social engineering attacks, there are others as well:

  • Water Holing: In this kind of scenario, the bad actor will replicate a trusted website and use similar URLs to deflect them to a fake website.  From the fake website, the bad actor will collect login credentials or protected information.
  • Pretexting: In this scenario, a bad actor will use some preexisting knowledge that they have about the victim (such as birthdate, schools attended, medical condition, etc.) to develop further dialogue with them.  Unlike the other types of scenarios, this form of social engineering can take time to develop, as the bad actor is trying to establish a certain level of trust with the victim.  The goal is to have the victim eventually divulge confidential information. The bad actor can then use it to gain a covert foothold into the network and disrupt service delivery.

Conclusions

Our next blog series will examine yet another critical component affected by the pandemic - critical infrastructure. This includes water, oil, or natural gas supply, the national electric grid, nuclear facilities, and the railway system.  These are places that most likely utilize legacy security systems, making them a prime target for the bad actor.

If any of these topics are raising more questions about your organization’s cybersecurity posture, than it may be time for a conversation with our experts. Please contact us today; we’re here to help.

Sources

  1. https://searchsecurity.techtarget.com/definition/social-engineering
  2. https://blog.cyber-armada.com/articles-and-resources/social-engineering-threats-to-the-supply-chain-during-covid-19